Cheat Sheet: Virus names and alerts

Is a yellow warning on MyDoom.O better, worse or the same as a level 2 warning on MyDoom.P?
OK, well I know what computer viruses are so this should be straightforward - the name is just how they are distinguished from one another and the warning is an indication of how problematic things are at a given time?
Exactly. It really is that simple.

So what's the problem?
The problem is that things tend not to be so simple in practice. Warnings for the same virus from different sources often end up carrying different names and different threat assessments, which creates confusion: what looks like three virus outbreaks of differing severity is actually one outbreak.

Really? How so?
It's not uncommon for one vendor to go public with an alert about a 'new' virus which it has proudly named (often the analyst who writes the first signature gets the honour of doing so), only for another vendor, or vendors, to pipe up and point out it's just a variant of a previous virus which is already being named elsewhere under the agreed variant naming convention. It's also not uncommon for different vendors to have given the same variant different names, so with the new name and two variant names the one virus takes on three identities.

What happens then?
According to Natasha Staley, information analyst at MessageLabs, in the case of the mistakenly identified 'new' virus "the first vendor quietly renames it after a few days have passed" in line with the rest of the industry (and probably learns an important lesson about jumping the gun).

The issue of differing variant names is even more complex.

Oh really? Do go on...
The standard naming convention for viruses is to use a new letter of the alphabet for each variant. So once it is agreed that this isn't a new virus but simply a variant of a previous one, the following system is adopted: MyDoom-A, -B, -C, -D, -E, -F, -G, -H, -I, -J, -K, -L, one letter for each new iteration.

Don't tell me, let me guess. M, came next, right?
Normally you would be right, but with MyDoom, and Netsky in particular, by the time the middle of the alphabet was reached things were starting to fall apart, and simple agreement over the ordering of the alphabet could no longer be taken for granted.

According to Staley: "One vendor will develop a signature for one variant that is also able to identify the next variant as well. However, other vendors only have a signature that's capable of detecting the previous variant, so they need another identity file - and therefore another virus name. This is usually the reason why one vendor is up to variant -T and others are at -U or -V."

With MyDoom, vendors differed considerably by the time -M was doing the rounds. Because their detection technology differs, one vendor will often concede that its variant -P or -O is another company's -M.

Confusing...
And then some. The dozens of virus reports which start circulating begin to look a little like somebody has spilled their Alphabetti-Spaghetti.

And with virus 'fire-fighting' taking up more and more of their time, this is exactly the kind of confusion most techies could do without. Imagine being a firefighter trying to put out fires when the emergency services give you street names that differ from those on your map.

It wouldn't be easy...
No, and it doesn't get much better when it comes to establishing the extent of the threat. Some companies use colour schemes, the old-fashioned 'red alert' being the worst. Others use numbers, and others use words. That leaves a confused techie in all sorts of trouble trying to work out whether the MyDoom-O he heard about on the news, which was a yellow alert, is the same as the MyDoom-M virus which his anti-virus company has given a medium-threat alert, or a threat rating of 2 out of 5, for example. A bare number is no help on its own: a '2' says nothing until you know the scale it sits on.
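What a harried techie actually wants is a small normaliser that folds the competing names into one outbreak and puts the competing ratings on a single scale. The following is an added example written for this cheat sheet; it is not code from the article or from any vendor. The alias table (MyDoom-O and MyDoom-P treated as the same outbreak as MyDoom-M), the ordering of the colour and word scales, and the sample alert records are all assumptions constructed for the demonstration; a real deployment would take the alias table from the vendors' own cross-reference pages.

```python
import re

# ASSUMPTION: hypothetical alias table. The article only says that one vendor's
# -O or -P can be another vendor's -M, so that is the single mapping modelled here.
# Keys are vendor-specific names, values are the name chosen as canonical.
ALIASES = {
    "MyDoom-O": "MyDoom-M",
    "MyDoom-P": "MyDoom-M",
}

# ASSUMPTION: ordinal scales, lowest to highest. Every vendor's colour and word
# scheme differs, so in practice each vendor needs its own tuple.
COLOUR_SCALE = ("green", "yellow", "orange", "red")
WORD_SCALE = ("low", "medium", "high", "critical")


def canonical_name(name: str) -> str:
    """Fold punctuation variants (MyDoom.O vs MyDoom-O) and resolve aliases,
    case-insensitively. Unknown names are returned unchanged."""
    key = name.strip().replace(".", "-")
    lowered = {alias.lower(): canon for alias, canon in ALIASES.items()}
    return lowered.get(key.lower(), key)


def normalize_severity(raw: str) -> float:
    """Map a vendor-specific rating to a fraction in [0, 1].

    Accepts a colour, a word, or an explicit fraction ('2 out of 5', '2/5',
    'level 2 of 5'). A number without its scale ('level 2') is rejected,
    because it cannot be compared with anything."""
    s = " ".join(raw.strip().lower().split())
    if s in COLOUR_SCALE:
        return COLOUR_SCALE.index(s) / (len(COLOUR_SCALE) - 1)
    if s in WORD_SCALE:
        return WORD_SCALE.index(s) / (len(WORD_SCALE) - 1)
    m = re.fullmatch(r"(?:level\s*)?(\d+)\s*(?:out of|of|/)\s*(\d+)", s)
    if m:
        n, d = int(m.group(1)), int(m.group(2))
        if d <= 0 or n > d:
            raise ValueError(f"severity {raw!r} is out of range")
        return n / d
    raise ValueError(f"cannot normalise {raw!r}: scale unknown")


def consolidate(alerts):
    """Group (vendor, name, severity) records by canonical name.

    Returns {canonical: {"severity": worst normalised rating seen,
                         "names": set of vendor names folded in,
                         "vendors": list of reporting vendors}}."""
    outbreaks = {}
    for vendor, name, severity in alerts:
        canon = canonical_name(name)
        entry = outbreaks.setdefault(
            canon, {"severity": 0.0, "names": set(), "vendors": []}
        )
        entry["severity"] = max(entry["severity"], normalize_severity(severity))
        entry["names"].add(name.strip().replace(".", "-"))
        entry["vendors"].append(vendor)
    return outbreaks


# Constructed sample alerts mirroring the article's scenario (not real feeds):
# a news report, a colour-scheme vendor and a numeric-scheme vendor.
SAMPLE_ALERTS = [
    ("news report", "MyDoom.O", "yellow"),
    ("vendor B", "MyDoom-M", "medium"),
    ("vendor C", "MyDoom-M", "2 out of 5"),
]

if __name__ == "__main__":
    for canon, info in consolidate(SAMPLE_ALERTS).items():
        print(canon, info)
    try:
        normalize_severity("level 2")
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone it reports one outbreak, MyDoom-M, seen under two names from three sources, with the worst normalised rating (0.4 from '2 out of 5'). The 'level 2' in the opening question is deliberately rejected: without the scale the number belongs to, the comparison the question asks for cannot be made.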

It's a problem which isn't lost on the industry either, but few are likely to make the concessions necessary.

Why not?
For the simple reason that most vendors want to keep their own standards in place, offering a 'why don't you all adopt our standard' invitation to their peers. Their customers probably already know what's what and what works, so what suits the wider industry or the press isn't really a top priority.

Speaking recently, one IT security vendor said: "Can you really imagine McAfee and Symantec sitting down and talking these things over? It's not going to happen. It's about as likely as getting world peace."

But not as important, right?
No, of course not. This isn't life and death; we're just talking about bringing a little order to an industry which has faced criticism of over-complexity in recent years, and some accusations of hype. (It would also make things easier for us journalists who have to write about such things, but we don't expect that to be a deal-breaker.) Greater clarity of terms and threats would go some way to healing any wounds left by such claims. After all, confusion could be seen as a great aid to sales and marketing, but no respected AV company would want to trade on it.

Wouldn't they?
No of course not.

Hmmm...
